Gentoo Forums
Vrf
highland
n00b

Joined: 05 Nov 2008
Posts: 57

Posted: Fri Jul 06, 2012 5:45 pm    Post subject: Vrf

Hello

I wanted to configure VRF lite/virtual routing tables on my Gentoo.
I simulate a Cisco ASA in QEMU and I wanted to send some traffic through it.
To do it I use two tap interfaces on my Gentoo.
I wanted to send traffic from one tap1 interface to the other tap2 interface through the ASA.

So I need VRF functionality on Gentoo.
I've configured:

ifconfig tap5 inet 1.1.1.1 netmask 255.255.255.0 up promisc #my int on one side
ifconfig tap6 inet 2.2.2.2 netmask 255.255.255.0 up promisc #my int on the other side

ip rule add table 1
ip rule add table 2
ip rule add iif tap1 table 1 #ASA inside int
ip rule add iif tap5 table 1
ip rule add iif tap4 table 2 #ASA outside int
ip rule add iif tap6 table 2
ip route add 2.2.2.0/24 table 1 dev tap1 via 192.168.0.1
ip route add 1.1.1.0/24 table 2 dev tap4 via 192.168.2.1

!marking from 1.1.1.1 to 2.2.2.2
iptables -t mangle -A PREROUTING -s 1.1.1.0/24 -d 2.2.2.0/24 -j MARK --set-mark 1
!putting traffic from 1.1.1.1 to 2.2.2.2 into routing table 1
ip rule add fwmark 4 table 1


# ip route list table 1
2.2.2.0/24 via 192.168.0.1 dev tap1

When I try from Gentoo:
# ping -I tap5 2.2.2.2

my packets do not reach the ASA.

Does the mangling work for tap interfaces?

Has anybody tried to simulate VRF on Linux?

Thanx
papahuhn
Guru

Joined: 06 Sep 2004
Posts: 539

Posted: Fri Jul 06, 2012 6:39 pm

Some things you could try:

- Properly match fwmark with set-mark?
- Use OUTPUT mangle, not PREROUTING, as ping is a local process.
- Avoid the local ping. Use 2 VMs instead, which connect to tap5 and tap6, respectively.

Regards
_________________
Death by snoo-snoo!
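An added example, not code from the thread, that checks a policy-routing setup for the two defects named in the reply above: a `--set-mark` value with no matching `ip rule ... fwmark`, and a MARK rule placed only in PREROUTING, which locally generated packets (such as the host's own `ping -I tap5`) never traverse. The sample configurations are constructed from the original post's commands; the "fixed" variant is my assumption of how the corrected rules would look.

```python
import re

# Constructed sample: the mark-related commands from the original post,
# carrying both problems (mark 1 is set, mark 4 is matched; MARK only in PREROUTING).
ORIGINAL_CONFIG = """
iptables -t mangle -A PREROUTING -s 1.1.1.0/24 -d 2.2.2.0/24 -j MARK --set-mark 1
ip rule add fwmark 4 table 1
"""

# Constructed "fixed" variant (assumption): same mark on both sides, and the MARK
# rule also installed in OUTPUT so the host's own ping is marked before routing.
FIXED_CONFIG = """
iptables -t mangle -A OUTPUT -s 1.1.1.0/24 -d 2.2.2.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -s 1.1.1.0/24 -d 2.2.2.0/24 -j MARK --set-mark 1
ip rule add fwmark 1 table 1
"""

# One command per line; marks may be decimal or 0x-prefixed hex.
SET_MARK = re.compile(r"iptables .*-t mangle .*-A (\w+) .*-j MARK --set-mark (0x[0-9a-fA-F]+|\d+)")
FWMARK_RULE = re.compile(r"ip rule add .*fwmark (0x[0-9a-fA-F]+|\d+)")


def lint_marks(config):
    """Return a list of findings about fwmark/set-mark consistency in `config`."""
    set_marks = {}  # mark value -> set of mangle chains that set it
    for m in SET_MARK.finditer(config):
        set_marks.setdefault(int(m.group(2), 0), set()).add(m.group(1))
    rule_marks = {int(m.group(1), 0) for m in FWMARK_RULE.finditer(config)}

    findings = []
    for mark in sorted(set_marks.keys() - rule_marks):
        findings.append(f"mark {mark} is set but no 'ip rule ... fwmark {mark}' selects a table")
    for mark in sorted(rule_marks - set_marks.keys()):
        findings.append(f"ip rule matches fwmark {mark} but no mangle rule sets that mark")
    for mark, chains in sorted(set_marks.items()):
        if "OUTPUT" not in chains:
            findings.append(f"mark {mark} is set only in {','.join(sorted(chains))}; "
                            "locally generated traffic (e.g. ping from the host) only passes OUTPUT")
    return findings


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, lint_marks(cfg) or ["no findings"])
```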
highland
n00b

Joined: 05 Nov 2008
Posts: 57

Posted: Sat Jul 07, 2012 6:35 am

I have too many other VMs to add another 2 just to test a ping or telnet connection.
But on the other side my network topology with all those rules and virtual devices becomes very complicated.
Maybe it would be easier using namespaces (LXC) on Linux? Has anybody tried it for VRF simulation?

The main problem is the tools (ping/telnet), which should put the traffic into a specific "VRF"...
It's a pity that today Linux does not have proper tools for that... (and also VRF lite support in the kernel).